Jay and I are back to consider some of the top compliance articles and stories which caught our eye this week. Of course, we look into the MLB sign-stealing scandal which has embroiled the Houston Astros, may embroil the Boston Red Sox and let to the Mets firing their newest manager before he managed one game. All this and more in the Say it ain’t so edition.

  1. MLB lays down the hammer on the Astros. Are the Red Sox next? Tom’s multipart series, Part 1, Part 2and Part 3. His cognitive dissonance is explored in the FCPA Blog.
  2. Mike Volkov says its time to move from reactive to proactive compliance, in a 3-part series on Corrruption Crime and Compliance. Part 1, Part 2 and Part 3
  3. What do DOJ changes mean for the compliance practitioner? Jay explores in his CCI
  4. What is the SEC Enforcement Network? Verity Winship explains in NYU’s Compliance and Enforcement Blog.
  5. Will the Fraud Section now refocus on commodities trading cases? Aitan Goelman in NYU’s Compliance and Enforcement Blog.
  6. What are Red Flags? Gini Dietrich explains in Spin Sucks. Harry Cassin says look out for expensive watches, in the FCPA Blog.
  7. Corporate governance and behavioral ethics, all in the Harvard Law Review on Corporate Governance.
  8. The trouble with transparency. Vera Cherepanova explains in the FCPA Blog.
  9. How Queen informs your compliance program (Hint: Pressure). Matt Kelly, the coolest guy in compliance in Radical Compliance.
  10. On the Compliance Podcast Network, Tom continues his 31 Days to a More Effective Compliance Program series.This week saw the following offerings: Day 13 reviews institutional justice ; Day 14considers risk assessments; Day 15 looks at evaluating a risk assessment; Day 16 details the 3rd party risk management process; Day 17 explains how to manage a 3rd Note 31 Days to a More Effective Compliance Program now has its own iTunes channel. If you want to binge out and listen to only these episodes, click here.

Tom Fox is the Compliance Evangelist and can be reached at tfox@tfoxlaw.com. Jay Rosen is Mr. Monitor and can be reached at jrosen@affiliatedmonitors.com.

JANUARY 17, 2020 2019 BY TOM FOX

In today’s edition of the Daily Compliance News:

  • Judge overseeing PG&E bankruptcy wants to see the plan. (Bloomberg)
  • ENI skates. (Reuters)
  • Mets official blasts MLB whistleblower. (com)
  • China pushes belt and road. Are you ready? (NYT)

As every compliance practitioner is well aware, third parties still present the highest risk under the FCPA. The Evaluation of Corporate Compliance Programs – Guidance Document (2019 Guidance) devotes an entire prong to third-party management. It begins with the following: A well-designed compliance program should apply risk-based due diligence to its third-party relationships.  Although the degree of appropriate due diligence may vary based on the size and nature of the company or transaction, prosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions. 

This clearly specifies that the DOJ expects an integrated approach that is operationalized throughout the company. This means you must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party risk management, which will fulfill the DOJ requirements as laid out in the 2012 FCPA Guidance and in the Ten Hallmarks of an Effective Compliance Program. They five steps in the lifecycle of third-party management are:

  1. Business Justification;
  2. Questionnaire to Third-party;
  3. Due Diligence on Third-party;
  4. Compliance Terms and Conditions, including payment terms; and
  5. Management and Oversight of Third Parties After Contract Signing.

Business Justification. The purpose of the business justification is to document the satisfactoriness of the business case to retain a third-party. The business justification should be included in the compliance review file assembled on every third-party at the time of initial certification and again if the third-party relationship is renewed. It is mandatory this document be filled out and completed by the business sponsor, who will be the primary contract with the third-party for the life of the business relationship.

Questionnaire. The term ‘questionnaire’ is mentioned several times in the 2012 FCPA Guidance. It is generally recognized as one of the tools that a company should complete in its investigation to better understand with whom it is doing business. This requirement is not only a key step but also a mandatory step for any third-party that desires to do work with your company. If a third-party does not want to fill out the questionnaire or will not fill it out completely; run, don’t walk, away from doing business with such a party.

One thing that you should keep in mind is that you will likely have pushback from your business team in making many of the inquiries. However, most proposed agents that have done business with U.S. or U.K. companies have already gone through this process. Indeed, they understand that by providing this information on a timely basis, they can set themselves apart as more attractive to U.S. businesses.

Due diligence. Most compliance practitioners understand the need for a robust due diligence program to investigate third parties but have struggled with how to create an inventory to define the basis of risk of each foreign business partner and thereby perform the requisite due diligence. Getting your arms around due diligence can sometimes seem bewildering for the compliance practitioner.

The purpose is to encourage businesses to put in place due diligence procedures that adequately inform the application of proportionate measures designed to prevent persons associated with a company from engaging in bribery and corruption on their behalf. Due diligence acts as both a procedure for anti-bribery risk assessment and a risk mitigation technique. Further, both operate as compliance internal controls.

After you have completed Steps 1-3 you are ready to move onto to Step 4, the contract. According to the 2012 FCPA Guidance, “Additional considerations include payment terms and how those payment terms compare to typical terms in that industry and country, as well as the timing of the third-party’s introduction to the business.” This means that you need to understand what the rate of commission is and whether it is reasonable for the services delivered. If the rate is too high, this could be indicia of corruption as high commission rates can create a pool of money to be used to pay bribes. If your company uses a distributor model in its sales side, then it needs to review the discount rates it provides to its distributors to ascertain that the discount rate it warranted.

The contract. You must evaluate the information and show that you have used it in your process. If it is incomplete, it must be completed. If there are red flags, which have appeared, these red flags must be cleared, or you must demonstrate how you will manage the risks identified. In other words, you must document that you have read, synthesized and evaluated the information garnered in the business justification, questionnaire and due diligence steps beforehand. As the DOJ and SEC continually remind us, a compliance program must be a living, evolving system and not simply a “check the box” exercise.

Management of the relationship. While the work done in the four steps above are absolutely critical, if you do not manage the relationship it can all go downhill very quickly, and you might find yourself with a potential FCPA violation. There are several different ways that you should manage your post-contract relationship. The 2019 Evaluation clearly is focused on several key components that you need to evaluate and then re-evaluate during the pendency of the relationship. Incentivizing through compensation issues, training and ongoing monitoring through oversight and auditing are all key tools that the DOJ expects you to use going forward after the contract is signed.

Three key takeaways:

  1. Use the full 5-step process for third party management.
  2. Make sure you have business development involvement and buy-in.
  3. Operationalize all steps going forward by including business unit representatives.

Richard Lummis and I are back. Today, we take a look at leadership lessons from a trifecta of failed leaders, including Adam Neumann, the founder and former CEO of WeWork, Elizabeth Holmes, founder and former CEO of Theranos and Travis Kalanick, founder and former CEO of Uber.

Highlights of this podcast include:

  1. What happens when charismatic leaders have disruptive visions?
  2. What happens when a brilliant jerk is a CEO?
  3. They all had and maintained asymmetrical power, total control and maintained dual-class ownership structures.
  4. What happens when the CEO creates a cult of personality?
  5. All three valued opaqueness over transparency so that they could control the flow of information.
  6. Where was the Board of Directors?

Resources

Is Your CEO Brilliant, a Jerk or Both?

When to fire the boss?

CEOs are not here to save us

JANUARY 16, 2020 2019 BY TOM FOX

In today’s edition of the Daily Compliance News:

  • We always knew he believed in bribery but Trump tried to unilaterally repeal the FCPA. (NYT)
  • Goldman stock falls as 1MDB settlement nears. (WSJ)
  • Red Sox fire Alex Cora, wait for MLB to drop the hammer. (WSJ)
  • What’s wrong with keeping petty cash at home? (Daily Mail)